You may have some documents in your web directory that you don't want the whole world to have access to. From a user's standpoint, you've often come across pages that require a password or that simply tell you that you aren't authorized to use this page. In this section, you'll learn how to protect parts of your site from prying eyes through user authentication and authorization.

Restricting Access with allow and deny

Apache lets you restrict access to your site based on IP addresses or hostnames. This is done through directives in httpd.conf called allow and deny. Suppose you plan to host an apt package repository at susefan.com/pub/, but you don't want anyone outside of susefan.com downloading its files with a browser. You would add these lines to httpd.conf:

    <Location /pub>
        SetHandler pub
        Order deny,allow
        Deny from all
        Allow from susefan.com
    </Location>

Note the four statements. First, we told Apache that when someone tries to access the /pub directory, it needs to check whether the person is allowed. Then we set the order in which Apache evaluates the rules: it processes the deny statements first and then the allow statements. In this case, the statements are easy to follow: Deny everyone, unless the request originates from a host within the susefan.com domain. You can describe your limits for either deny or allow in six ways:
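To make the Order semantics concrete, here is a small evaluator (added here; it is not the book's or Apache's own code) that applies the two rules of the /pub block above to a client. It assumes Apache 2.2-style Order/Allow/Deny behaviour and takes the client's reverse-DNS hostname as an argument, since that is what Apache compares a domain-name argument against.

```python
from ipaddress import ip_address

# The two rules from the /pub block above, as (verb, argument) pairs.
PUB_RULES = [("Deny", "all"), ("Allow", "susefan.com")]

def _matches(arg, client_ip, client_host):
    """Does one Allow/Deny argument match this client?"""
    arg = arg.lower()
    if arg == "all":
        return True
    try:                                # a full IP address, e.g. 192.0.2.10
        return ip_address(arg) == ip_address(client_ip)
    except ValueError:
        pass
    # A (partial) domain name: matches the host itself or any host under it,
    # so "susefan.com" matches "mirror.susefan.com" but not "notsusefan.com".
    host = (client_host or "").lower().rstrip(".")
    return host == arg or host.endswith("." + arg)

def is_allowed(order, rules, client_ip, client_host=None):
    """Apply Apache 2.2 'Order' semantics. client_host is what Apache would get
    from a (double-)reverse DNS lookup; None means the lookup failed."""
    allowed = any(_matches(a, client_ip, client_host) for v, a in rules if v == "Allow")
    denied = any(_matches(a, client_ip, client_host) for v, a in rules if v == "Deny")
    if order == "deny,allow":
        # Deny rules first, then Allow; a matching Allow overrides a matching
        # Deny, and a client matching neither is allowed by default.
        return True if allowed else not denied
    if order == "allow,deny":
        # At least one Allow must match and no Deny may match; default is deny.
        return allowed and not denied
    raise ValueError("Order must be 'deny,allow' or 'allow,deny'")
```

Two things worth noticing: a client whose address has no reverse DNS entry never matches a hostname rule and is therefore denied, and with Order allow,deny the same two rules would lock everyone out, because Deny from all also matches susefan.com hosts.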
Authentication

Many organizations have a members-only section of their website where information is stored that the rest of the world can't access. To see the information in such a restricted area, users must prove they are authorized to do so, usually by providing a username and password. Apache Basic Authentication is the most common authentication method used, probably because it is quite straightforward in its approach. When someone attempts to access a protected page, Apache asks for a username and a password. It then verifies the username and password and, if successful, Apache serves the request.

Caution
Basic Authentication does not encrypt the password when you type it in, so don't use valuable passwords (such as your login password) for your protected page. Similarly, webmasters should not use Basic Authentication for highly sensitive data. You have the option of using Apache Digest Authentication (which is more secure, but not always supported by browsers), using SSL/TLS, or finding some more secure means of making the data available to a selected group. Consult the Apache documentation for information on Digest Authentication.

The first step in implementing Basic Authentication is to create a plain-text list of usernames and passwords. This is done using htpasswd2, a script included with the Apache2 package and installed to the same directory as httpd and apachectl. You should store these passwords away from your main Apache installation directory, making it harder for rogue applications to find them, so first make a new directory (as the SuperUser) to hold this file, such as /usr/local/httpd2/passwd.

Note
Basic Authentication is implemented with the mod_auth module. In the unlikely event that you get a "command not found" error message when running htpasswd2, make sure this module is installed.
When you have created this directory, type this command to create a new hidden password file, with the first user included:

    ./htpasswd2 -c /usr/local/httpd2/passwd/.htpasswd mikemc

You'll be prompted twice for this user's password:

    New password:
    Re-type new password:
    Adding password for user mikemc

To add new users to this file, use the same command without the -c switch (which creates a new file):

    ./htpasswd2 /usr/local/httpd2/passwd/.htpasswd newuser

Next, you need to tell Apache to refer to .htpasswd when serving a protected page. You do this in one of two ways: directly through httpd.conf or by creating a new .htaccess file. The .htaccess file should be located in the directory you want to protect; in the example used in the allow/deny section, this would be /pub/.htaccess. In httpd.conf, you would create a new section labeled <Directory /pub>. Either way, the syntax is the same. Use these four directives:

    AuthType Basic
    AuthName "Members Only"
    AuthUserFile /usr/local/httpd2/passwd/.htpasswd
    Require user mikemc

Here the AuthType is Basic because we're using Basic Authentication (it would be set to Digest if mod_auth_digest were used). The AuthName can be anything and identifies the "realm" or category of that page. In this case, all pages with the AuthName Members Only would have the same password. Thus, when the browser went to another page marked Members Only, it could deliver the same password without forcing the user to retype it in an endless series of pop-up dialog boxes. The AuthUserFile points to the .htpasswd file containing the usernames and passwords. The Require directive specifies the user(s) allowed to access the page. If, instead of one person having access to a resource, you want to create a group of users with the same level of access, create a group file named .htgroup in any text editor with the group name and a list of users. Save it in the same directory as .htpasswd.
The entry in the .htgroup file should look like this:

    Members: mikemc robsh ltorvalds svillinski

The two files are similar in concept to Linux's /etc/passwd and /etc/group files: .htpasswd stores each username and password hash, and .htgroup aggregates usernames into logical groups. Each group member needs to have a password listed in .htpasswd before access is allowed. Now edit your .htaccess file so that your group has access:

    AuthType Basic
    AuthName "Members Only"
    AuthUserFile /usr/local/httpd2/passwd/.htpasswd
    AuthGroupFile /usr/local/httpd2/passwd/.htgroup
    Require group Members

Everyone in the Members group would now have access to all pages with the "Members Only" realm.

Note
You can create as many groups as you want in your .htgroup file. Each entry is a single line listing all its members, separated by spaces.
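As an added illustration (not code from the book), the following models what Apache does with the two files: it decodes the browser's Basic header, verifies the password against the {SHA}-format hash that htpasswd writes with its -s switch, and then applies Require user or Require group. The file contents and passwords are constructed samples; the usernames are the ones from the .htgroup line above.

```python
import base64, hashlib, hmac

def sha_hash(password):
    # The {SHA} format htpasswd -s writes: "{SHA}" + base64(sha1(password)).
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()

# Constructed sample files. Only hashes are stored; ltorvalds and svillinski
# are listed in the group but have no .htpasswd entry, so they cannot log in.
HTPASSWD = f"mikemc:{sha_hash('s3cret')}\nrobsh:{sha_hash('hunter2')}\n"
HTGROUP = "Members: mikemc robsh ltorvalds svillinski\n"

def parse_htgroup(text):
    groups = {}
    for line in text.splitlines():
        if ":" in line:
            name, members = line.split(":", 1)
            groups[name.strip()] = set(members.split())
    return groups

def basic_header(user, password):
    """What the browser sends: base64 of 'user:password', which is encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def credentials_from_header(header):
    """Anyone who can read the header on the wire recovers the password this easily."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def authorize(header, require_arg, htpasswd=HTPASSWD, htgroup=HTGROUP):
    """True if the header satisfies 'Require <require_arg>' ('user mikemc' or
    'group Members'): the password must verify AND the user must be named or be a group member."""
    creds = credentials_from_header(header)
    if creds is None:
        return False
    user, password = creds
    users = dict(line.split(":", 1) for line in htpasswd.splitlines() if ":" in line)
    stored = users.get(user)
    if stored is None or not hmac.compare_digest(stored, sha_hash(password)):
        return False
    kind, _, names = require_arg.partition(" ")
    if kind == "user":
        return user in names.split()
    if kind == "group":
        groups = parse_htgroup(htgroup)
        return any(user in groups.get(g, ()) for g in names.split())
    return False
```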